On Wed, Feb 22, 2012 at 03:37:29PM -0500, Bruce Momjian wrote:
> On Wed, Feb 22, 2012 at 05:22:29PM -0300, Alvaro Herrera wrote:
> > Not sure about this. If the upgrades completes successfully and the
> > file is not renamed at the last minute due to some error, that would be
> > a problem as well, because now the old cluster would happily run and
> > perhaps corrupt the data files from under the new cluster.
>
> Well, the basic problem is that the user, before pg_upgrade started,
> installed a new cluster that works. If we rename the old control, but
> rename it back on failure, there are cases we will miss, kill like -9 or
> a server crash, and it will not be obvious to them that the control file
> was renamed.
>
> Of course, if we only rename on success, and there is kill -9 or server
> crash, the old cluster is still start-able, like the new one.
>
> One good argument for the rename early is that on a server crash, the
> system is probably going to restart the database automatically, and that
> means the old server.
>
> Right now we have a clear message that they need to rename the control
> file to start the old server. Not sure what the new wording would look
> like --- let me try.
I have thought about this, and feel that it would be odd to lock the old
cluster at the start of the upgrade, and then unlock it on a failure,
particularly because we can't always unlock it, e.g. operating system
crash.
A cleaner solution would be to lock it when we complete the upgrade,
which I have done in the attached patch. I have also added a warning
about restarting the old server when link mode is used, and updated the
documentation to match the new behavior.
Patch attached. I would like to apply this to 9.2/HEAD.
---------------------------------------------------------------------------
Performing Consistency Checks
-----------------------------
Checking current, bin, and data directories ok
Checking cluster versions ok
Checking database user is a superuser ok
Checking for prepared transactions ok
Checking for reg* system OID user data types ok
Checking for contrib/isn with bigint-passing mismatch ok
Creating catalog dump ok
Checking for prepared transactions ok
Checking for presence of required libraries ok
If pg_upgrade fails after this point, you must re-initdb the
new cluster before continuing.
Performing Upgrade
------------------
Analyzing all rows in the new cluster ok
Freezing all rows on the new cluster ok
Deleting new commit clogs ok
Copying old commit clogs to new server ok
Setting next transaction ID for new cluster ok
Resetting WAL archives ok
Setting frozenxid counters in new cluster ok
Creating databases in the new cluster ok
Adding support functions to new cluster ok
Restoring database schema to new cluster ok
Removing support functions from new cluster ok
Linking user relation files
ok
Setting next OID for new cluster ok
Creating script to delete old cluster ok
Adding ".old" suffix to old global/pg_control ok
If you want to start the old cluster, you will need to remove
the ".old" suffix from /u/pgsql.old/data/global/pg_control.old.
Because "link" mode was used, the old cluster cannot be safely
started once the new cluster has been started.
Upgrade complete
----------------
Optimizer statistics are not transferred by pg_upgrade so
consider running:
vacuumdb --all --analyze-only
on the newly-upgraded cluster.
Running this script will delete the old cluster's data files:
/usr/local/pgdev/pg_upgrade/delete_old_cluster.sh
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ It's impossible for everything to be true. +